I launched a windows EC2 instance on AWS but I can't get the password for login. I keep getting this warning message even one day after launching the server.
Password not available yet.
Please wait at least 4 minutes after launching an instance before trying to retrieve the auto-generated password.
Note: Passwords are generated during the launch of Amazon Windows AMIs or custom AMIs that have been configured to enable this feature. Instances launched from a custom AMI without this feature enabled use the username and password of the AMI's parent instance.
And I also tried below command line:
$ aws --profile ie ec2 get-password-data --instance-id i-xxxxx --priv-launch-key my.pem --region ap-southeast-2
but it returns an empty password:
{
"InstanceId": "i-xxxx",
"PasswordData": "",
"Timestamp": "2019-08-05T23:12:04.000Z"
}
So how can I get the password for this EC2 instance?
I have tried to stop/start the instance but it doesn't help.
One possible reason is that the instance is launched from a customised AMI but I also don't know that AMI's password. Is there a way to reset the password?
It's possible that EC2Config is disabled. The empty string you are getting for console output caused by this. It could be an issue with the EC2Config service; either the misconfigured configuration file or that Windows failed to boot properly.
For recovery, I'd say try the password you used at the machine used to create the AMI and if it's not a custom made AMI, try a different one altogether. I'd be more helpful if you can share the AMI ID.
Additionally, if you are looking to recover data on an EBS volume of the server, you can follow this
Related
My Python application is deployed in a docker container on an EC2 instance. Passwords are stored in secrets manager. During runtime, application will make an API call to secrets manager to fetch the password and connect. Since we recreated the instance, it started giving out below error -
botocore.exceptions.NoCredentialsError: Unable to locate credentials
My application code is -
session = boto3.session.Session()
client = session.client(service_name = 'secretmanager', region_name = 'us-east-1')
get_secret_value_response = client.get_secret_value(secretId = secret_name)
If I run -
aws secretmanager get-secret-value --secret-id abc
It works without any issues since IAM policy is appropriately attached to the EC2 instance.
I spent the last 2 days trying to troubleshoot this but am still stuck with no clarity on why this is breaking. Any tips or guidance would help.
The problem was with the HTTPToken variable in the instance metadata options which was defaulted to required with the fresh update. Reverted it back to optional and boto3 is now able to make an API call for instance meta data and inherit its roles.
My goal is to spin up an EC2 instance, make an AMI from that instance, use the custom AMI to spin up a new instance that uses password authentication instead of keys.
I changed /etc/ssh/sshd_config to have PasswordAuthentication yes before creating the AMI, but I still get "permission denied (publickey)" when trying to SSH to the new instance created from the custom AMI.
I followed these steps and they work on the first instance, but then I still get the error when logging into the instance created from the customn AMI.
AWS support fixed my problem, here is their answer:
Make changes to the following lines in /etc/cloud/cloud.cfg file on
the original instance launched in the above steps as follows:
Default
settings:
ssh_pwauth: 0
lock_passwd: true
Settings after modification:
ssh_pwauth: 1
lock_passwd: false
service sshd restart
REFERENCES
https://cloudinit.readthedocs.io/en/latest/topics/examples.html#including-users-and-groups
https://cloudinit.readthedocs.io/en/latest/topics/modules.html
Anyone has any idea what the following error means?
#aws s3 ls
Credentials were refreshed, but the refreshed credentials are still expired.
I running it from the command line on the server, have already updated the keys couple of time but getting this error which i haven't seen before
I spoke with AWS support about this and they provided a resolution that does not involve changing TZs. What they advised was to check the IAM role assigned to your instanc.
Run this from the affected instance.
curl -v http://169.254.169.254/latest/meta-data/iam/security-credentials/IAM-ROLE
Check the expiration date of the
{
"Code" : "",
"LastUpdated" : "",
"Type" : "",
"AccessKeyId" : "",
"SecretAccessKey" : "",
"Token" : "",
**"Expiration" : ""**
}
In my case, the expiration date showed a value from yesterday. These are temporary credentials that should refresh every so often but in this case, they refreshed but the expiration date did not change. This explains the error AWS Credentials Refreshed but Still Expired
To resolve
Simply unattach and re-attach the role associated with your instance to get new temporary credentials and try the S3 command again.
Thanks guys, It's solved now.
I have absolutely no idea what caused it, but I tried following
Re-generate new AWS keys
Recreate user
Change TZ to match the bucket region TZ
uninstall/reinstall the awscli
After doing all of the above I started getting
Could not connect to the endpoint URL: "https://s3.Tokyo.amazonaws.com/"
Which after searching got fixed by swaping in Tokyo with ap-northeast-1.
If you are on your virtual machine, it could be an issue with your timezone. Change it to 'Set time automatically'.
Ideally, detaching and attaching the role works however, in my case, it wasn't working from GUI. So I had to remove the IAM role association from the EC2 server using CLI.
This is what I did:
Open AWS CLI or AWS-Shell that has permissions on EC2
Then find the instance-profile-association ID for your instance id as follows:
ec2 describe-iam-instance-profile-associations --filters Name="instance-id",Values="i-abcq34redfsl34534"
Use the associationID from the output above to disassociate IAM instance profile as follows:
ec2 disassociate-iam-instance-profile --association-id iip-assoc-qwerty123456
Attach the IAM role again from GUI and voilà, it worked.
You can verify the association using the link below on your EC2 instance:
curl -v http://169.254.169.254/latest/meta-data/iam/security-credentials/IAM-ROLE
I had this issue just happen to me and I tried to detach and re-attach the role as specified above. I was unable to detach the role while the server was running, but after shutting down the server the process worked.
I detached the role from the GUI console using the EC2 Instances menu option :
Actions -> Security -> Modify IAM Role
After removing the role and then re-attaching it and starting the server back up, it all worked again.
I am using boto3 to control my EC2 instances on AWS from a python environment, using ec2 and ssm services. I have created an IAM account, that has access to AmazonSSMFullAccess and AmazonEC2FullAccess policies.
ec2 = boto3.client(
'ec2',
region_name='eu-west-1',
aws_access_key_id='…',
aws_secret_access_key='…/…+…'
)
ssm = boto3.client(
'ssm',
region_name='eu-west-1',
aws_access_key_id='…',
aws_secret_access_key='…/…+…'
)
I ran:
ec2.describe_instances()['Reservations']
Witch returned a list of all my instances.
But when I run:
ssm.describe_instance_information()
I get an empty list, though I have at least one instance running on AWS Linux AMI (ami-ca0135b3), and six others on recent Ubuntu AMIs. They are all in eu-west-1 (Ireland).
They should have SSM Agent preinstalled : (https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-install-ssm-agent.html)
I sshed into the AWS Linux instance, and tried to get the logs for ssm using:
sudo tail -f /var/log/amazon/ssm/amazon-ssm-agent.log
But nothing happens there when I run my python code. A sequence of messages gets displayed from time to time :
HealthCheck reporting agent health.
error when calling AWS APIs. error details - NoCredentialProviders: no valid providers in chain. Deprecated.
I also tried running a command through the web interface, selected ' AWS-RunRemoteScript' but no instance is shown below.
My goal is to run:
ssm.send_command(
DocumentName="AWS-RunShellScript",
Parameters={'commands': [command]},
InstanceIds=[instance_id],
)
But it gives me the following error, probably due to the previous problem.
botocore.errorfactory.InvalidInstanceId: An error occurred (InvalidInstanceId) when calling the SendCommand operation
The agent is pre-installed, but the instance (not just your IAM user) still needs the proper role to communicate with the systems manager. Particularly this step of Configuring Access to Systems Manager.
By default, Systems Manager doesn't have permission to perform actions
on your instances. You must grant access by using an IAM instance
profile. An instance profile is a container that passes IAM role
information to an Amazon EC2 instance at launch.
You should review the whole configuration guide and make sure you have configured all required roles appropriately.
In order to run AWS monitoring scripts (http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/mon-scripts-perl.html) on one of my ec2 existing instance, I need a IAM role associated to the instance.
I found a lot of documentation to launch an instance with a role... But nothing to link a role to an existing instance.
Is it possible?
If not, what can I do? Launch a new instance with a role and transfert the volumes to it?
If not, what can I do? Launch a new instance with a role and transfert
the volumes to it?
This is one option but it might take you a long time if you have a lot instances.
The other option is to simply use IAM by creating a new user then add the Amazon CloudWatch PutMetricData operation permission to that user. Then, create AWS credentials for that user and finally use them as per the docs that you specified:
Optional: If you aren't using an IAM role, update the
awscreds.template file that you downloaded earlier. The content of
this file should use the following format:
AWSAccessKeyId=YourAccessKeyID
AWSSecretKey=YourSecretAccessKey
Also set the environment variable AWS_CREDENTIAL_FILE to point that awscreds.template in the environment of the user that is running the mon-scripts-perl
There is a new method available associate-iam-instance-profile to Associates an IAM instance profile with a running or stopped instance.
Example:
aws ec2 associate-iam-instance-profile --instance-id YourInstanceId --iam-instance-profile Name=YourNewRole-Instance-Profile
Doco
AWS doesn't allow you to modify the instance role after launching the instance.
You can either:
1) Launch a new instance with the role needed by taking the AMI of the already running instance and reassigning the EIP.
or
2) Create a headless user, generate access key and secret key for the user with specific permssion, and use those keys.
Earlier there was no solution. You had to create and AMI and launch the server again with the appropriate role.
On Feb 9, AWS launched these new CLI options which can help you solve your problem.
See this link: https://aws.amazon.com/blogs/security/new-attach-an-aws-iam-role-to-an-existing-amazon-ec2-instance-by-using-the-aws-cli/